From: Herbert Poetzl (herbert_at_13thfloor.at)
Date: Wed 16 Mar 2005 - 21:44:34 GMT
On Wed, Mar 16, 2005 at 06:58:23PM +0100, Ulrich Weber wrote:
> Hi all,
> because my vserver provider was unable to disable CAP_NET_RAW (all other
> customers want to use ping) I did some reseach on the topic.
> Attached please find a workaround patch to use ping without SUID (I got
> the inspiration from VXC_RAW_ICMP in vServer 1.9.4).
> I have no vserver installed, so I tested the attached patch in an
> user-mode-linux instance where it worked.
> Hope it works for vserver with CAP_NET_RAW disabled too.
> Is it possible to add this patch to the next stable release ?
well, basically I have no problem with that, but you have
to convince me that it doesn't introduce a security hole
itself, and I'd prefer to make it at least a compile time
option, so that folks concerned about security can disable
it (but that's trivially done)
> Best regards
> diff -Nru linux-2.4.27.org/net/ipv4/af_inet.c linux-2.4.27/net/ipv4/af_inet.c
> --- af_inet.c 2005-03-16 18:39:54.000000000 +0100
> +++ af_inet.c 2005-03-16 18:39:43.000000000 +0100
> @@ -352,7 +352,7 @@
> if (!answer)
> goto free_and_badtype;
> - if (answer->capability > 0 && !capable(answer->capability))
> + if ((protocol != IPPROTO_ICMP) && (answer->capability > 0) &&
> goto free_and_badperm;
> if (!protocol)
> goto free_and_noproto;
> Vserver mailing list
Vserver mailing list